semgrep.yaml
74 lines (74 loc) · 3.34 KB
rules:
  - id: bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command
    languages:
      - bash
    message: Variable expansions must be double-quoted so as to prevent being split into multiple pieces according to whitespace or whichever separator is specified by the IFS variable. If you really wish to split the variable's contents, you may use a variable that starts with an underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array, consider using a proper bash array.
    metadata:
      category: correctness
      technology:
        - bash
    patterns:
      - pattern-either:
          - pattern: |
              ... ${$VAR} ...
          - pattern: |
              ... ...${$VAR}... ...
      - metavariable-regex:
          metavariable: $VAR
          regex: '[*@0-9]|[A-Za-z].*'
    severity: INFO
  - id: clojure.lang.security.use-of-md5.use-of-md5
    languages:
      - clojure
    message: MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.
    metadata:
      author: Gabriel Marquet <gab.marquet@gmail.com>
      category: security
      confidence: HIGH
      cwe:
        - 'CWE-328: Use of Weak Hash'
      impact: HIGH
      likelihood: MEDIUM
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
        - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
      source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml
      subcategory:
        - vuln
      technology:
        - clojure
    pattern-either:
      - pattern: (MessageDigest/getInstance "MD5")
      - pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5)
      - pattern: (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
      - pattern: (java.security.MessageDigest/getInstance "MD5")
      - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
      - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
    severity: WARNING
  - fix: Bitwise.bnot($VAL)
    id: elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator
    languages:
      - elixir
    # The message names the operator the pattern and fix actually target (`~~~`, bnot).
    message: The bitwise operator (`~~~`) is already deprecated. Please use `Bitwise.bnot($VAL)` instead.
    metadata:
      category: best-practice
      references:
        - https://github.com/elixir-lang/elixir/commit/f1b9d3e818e5bebd44540f87be85979f24b9abfc
      technology:
        - elixir
    pattern: ~~~$VAL
    severity: WARNING
  - id: codacy.generic.plsql.empty-strings
    languages:
      - generic
    message: Empty strings can lead to unexpected behavior and should be handled carefully.
    metadata:
      category: security
      confidence: MEDIUM
      description: Detects empty strings in the code which might cause issues or bugs.
      impact: MEDIUM
    pattern: $VAR VARCHAR2($LENGTH) := '';
    severity: WARNING
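The bash rule above flags an expansion such as `$X` in command position because the shell splits its value on IFS before the command sees it. As an added example that is not part of semgrep.yaml or of the upstream rule, the POSIX shell script below shows that split with a constructed file name, the effect of a non-default IFS, and the underscore-prefixed variable convention the rule message describes for intentional splitting. All function names and sample values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of semgrep.yaml above: demonstrates the word splitting
# that the bash.lang.correctness.unquoted-expansion rule warns about.
# Every value below is constructed for the demonstration.

# Echoes how many arguments it received.
count_args() {
    echo "$#"
}

# A constructed file name containing a space, the kind of value that an
# unquoted expansion mishandles.
SAMPLE_NAME="quarterly report.txt"

# Unquoted: the shell splits $SAMPLE_NAME on IFS (whitespace by default), so
# count_args receives two arguments. This is the form the rule flags.
args_when_unquoted() {
    count_args $SAMPLE_NAME
}

# Double-quoted: the expansion stays one word whatever it contains.
args_when_quoted() {
    count_args "$SAMPLE_NAME"
}

# Splitting follows IFS, not just whitespace. With IFS set to ':' the same
# unquoted expansion of a PATH-like value yields one word per component.
# The caller's IFS is saved and restored.
args_split_on_colon() {
    _saved_ifs=$IFS
    IFS=':'
    set -- $1    # intentional split of the function's first argument
    IFS=$_saved_ifs
    echo "$#"
}

# Intentional splitting written the way the rule's message suggests: the
# variable name starts with an underscore, so the rule ignores the expansion.
intentional_split_count() {
    _WORDS="alpha beta gamma"
    count_args $_WORDS
}

# Run stand-alone to see each case.
printf 'unquoted: %s args\n' "$(args_when_unquoted)"
printf 'quoted: %s args\n' "$(args_when_quoted)"
printf 'IFS=":" split: %s args\n' "$(args_split_on_colon "usr/bin:bin:sbin")"
printf 'underscore-prefixed split: %s args\n' "$(intentional_split_count)"
```

The quoted form is the fix the rule asks for; the underscore-prefixed form is how to keep a deliberate split without suppressing the rule file-wide, and a bash array is the better choice when the value is really a list.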